Gaming security by obscurity
Pavlovic, Dusko (2011) Gaming security by obscurity. In: The New Security Paradigms Workshop (NSPW) , September 1215, 2011, Marin County, CA, USA.

PDF
560kB 
Abstract:  Shannon [40] sought security against the attacker with unlimited
computational powers: if an information source conveys some information, then Shannon’s attacker will surely extract that information. Diffie and Hellman [13] refined Shannon’s attacker model by taking into account the fact that the real attackers are computationally limited. This idea became one of the greatest new paradigms in computer science, and led to modern cryptography. Shannon also sought security against the attacker with unlimited logical and observational powers, expressed through the maxim that ”the enemy knows the system”. This view is still endorsed in cryptography. The popular formulation, going back to Kerckhoffs [24], is that ”there is no security by obscurity”, meaning that the algorithms cannot be kept obscured from the attacker, and that security should only rely upon the secret keys. In fact, modern cryptography goes even further than Shannon or Kerckhoffs in tacitly assuming that if there is an algorithm that can break the system, then the attacker will surely find that algorithm. The attacker is not viewed as an omnipotent computer any more, but he is still construed as an omnipotent programmer. The ongoing hackers’ successes seem to justify this view. So the DiffieHellman step from unlimited to limited computational powers has not been extended into a step from unlimited to limited logical or programming powers. Is the assumption that all feasible algorithms will eventually be discovered and implemented really different from the assumption that everything that is computable will eventually be computed? The present paper explores some ways to refine the current models of the attacker, and of the defender, by taking into account their limited logical and programming powers. If the adaptive attacker actively queries the system to seek out its vulnerabilities, can the system gain some security by actively learning attacker’s methods, and adapting to them? 
Item Type:  Conference or Workshop Item 
Faculty:  Electrical Engineering, Mathematics and Computer Science (EEMCS) 
Research Group:  
Link to this item:  http://purl.utwente.nl/publications/80238 
Conference URL:  http://www.nspw.org/2011 
Export this item as:  BibTeX EndNote HTML Citation Reference Manager 
Repository Staff Only: item control page